<p>Log management is an important topic, especially for the security of a web application, to ensure user activity, including potential attackers, is
recorded and available for an analyst to understand what’s happened on the web application in case of malicious activities.</p>
<p>Retention of specific logs for a defined period of time is often necessary to comply with regulations such as GDPR, <a
href="https://www.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf">PCI DSS</a> and others. However, to protect user’s
privacy, certain informations are forbidden or strongly discouraged from being logged, such as user passwords or credit card numbers, which obviously
should not be stored or at least not in clear text.</p>
<h2>Ask Yourself Whether</h2>
<p>In a production environment:</p>
<ul>
  <li> The web application uses confidential information and logs a significant amount of data. </li>
  <li> Logs are externalized to SIEM or Big Data repositories. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Loggers should be configured with a list of confidential, personal information that will be hidden/masked or removed from logs.</p>
<h2>Sensitive Code Example</h2>
<p>With <a href="https://www.npmjs.com/package/signale">Signale log management framework</a> the code is sensitive when an empty list of secrets is
defined:</p>
<pre>
const { Signale } = require('signale');

const CREDIT_CARD_NUMBERS = fetchFromWebForm()
// here we suppose the credit card numbers are retrieved somewhere and CREDIT_CARD_NUMBERS looks like ["1234-5678-0000-9999", "1234-5678-0000-8888"]; for instance

const options = {
  secrets: []         // empty list of secrets
};

const logger = new Signale(options); // Sensitive

CREDIT_CARD_NUMBERS.forEach(function(CREDIT_CARD_NUMBER) {
  logger.log('The customer ordered products with the credit card number = %s', CREDIT_CARD_NUMBER);
});
</pre>
<h2>Compliant Solution</h2>
<p>With <a href="https://www.npmjs.com/package/signale">Signale log management framework</a> it is possible to define a list of secrets that will be
hidden in logs:</p>
<pre>
const { Signale } = require('signale');

const CREDIT_CARD_NUMBERS = fetchFromWebForm()
// here we suppose the credit card numbers are retrieved somewhere and CREDIT_CARD_NUMBERS looks like ["1234-5678-0000-9999", "1234-5678-0000-8888"]; for instance

const options = {
  secrets: ["([0-9]{4}-?)+"]
};

const logger = new Signale(options); // Compliant

CREDIT_CARD_NUMBERS.forEach(function(CREDIT_CARD_NUMBER) {
  logger.log('The customer ordered products with the credit card number = %s', CREDIT_CARD_NUMBER);
});
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/">Top 10 2021 Category A9 - Security Logging and
  Monitoring Failures</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/532">CWE-532 - Insertion of Sensitive Information into Log File</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
  Exposure</a> </li>
</ul>
